Blunting the Phisher's Spear: A Risk-Based Approach for Defining User Training and Awarding Administrative Privileges

Presented at Black Hat USA 2016, Aug. 4, 2016, 9 a.m. (25 minutes).

Solving the "people problem" of cyber security requires us to understand why people fall victim to spear phishing. Unfortunately, the only proactive solution currently used against spear phishing is user training and education. But, judging from the number of continued breaches, training appears to be limited in its effectiveness. Today's leading cybersecurity training programs focus on hooking people in repeated simulated spear phishing attacks and then showing them the nuances in the emails they missed. This "gotcha game" presumes that users merely lack knowledge, and that if they are told often enough and repeatedly shown what they lack, they will become better at spear phishing detection. This is akin to trying to teach people to drive by constantly causing accidents and then pointing out why they had an accident each time.

We propose a radical change to this "one-size-fits-all" approach. Recent human factors research, the Suspicion, Cognition, Automaticity Model (SCAM) [1], identifies a small set of factors that lead to individual phishing victimization. Using the SCAM, we propose the development of an employee Cyber Risk Index (CRI). Similar to how financial credit scores work, the CRI will give security analysts the ability to pinpoint the weak links in organizations and identify who is likely to fall victim, who needs training, how much training, and what the training should focus on. The CRI will also allow security analysts to identify which users get administrative access, replacing the current, mostly binary, role-based apportioning method, where individuals are given access based on their organizational role and responsibilities, with a system based on individuals' quantified cyber risk propensity. The CRI-based approach we present will lead to individualized, cognitive-behavioral training and an evidence-based approach to awarding users admin privileges. These are paradigm-changing solutions that will altogether improve individual cyber resilience and blunt the effectiveness of spear phishing.

Presenters:

  • Arun Vishwanath - University at Buffalo
    Arun Vishwanath studies the "people problem" of cyber security. His research focuses on improving individual, organizational, and national resilience to cyber attacks by focusing on the weakest links in cyber security: all of us Internet users. Arun's interest is in understanding why organizational insiders willingly exfiltrate sensitive organizational data; why people become unintentional insiders by falling prey to social engineering attacks that come in through email and social media; and how we can harness this understanding to secure cyber space. He also examines how various groups (criminal syndicates, terrorist networks, hacktivists) utilize cyber space to commit crime, spread misinformation, recruit operatives, and radicalize others. Arun's research on improving cyber resilience against online social engineering has been funded by the National Science Foundation. He has written and published over two dozen articles on technology users and cyber security issues, and his research has been presented to principals at national security and law enforcement agencies around the world. Arun's research has also been featured on CNN, USA Today, Politico, and many other national and international news outlets.
